OTPulse

Rockwell Automation FactoryTalk Historian ThingWorx

Act Now | CVSS 9.8 | ICS-CERT ICSA-25-142-02 | May 22, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FactoryTalk Historian ThingWorx versions 4.02.00 and earlier are vulnerable to XML External Entity (XXE) injection attacks through improperly validated log4net configuration files. An attacker could exploit this to read arbitrary files on the server, access internal network resources, or execute code. This affects the 95057C-FTHTWXCT11 product line.

What this means
What could happen
An attacker could exploit an XML External Entity (XXE) injection flaw in FactoryTalk Historian ThingWorx through a malicious log4net configuration file, potentially gaining unauthorized read/write access to sensitive data or executing arbitrary code on the historian server.
Who's at risk
Water utilities and electric utilities that use Rockwell Automation FactoryTalk Historian ThingWorx for collecting, storing, and analyzing operational data from PLCs and field devices. Specifically affects version 4.02.00 and earlier. The historian is critical infrastructure that stores historical trends, alarms, and events used for operations monitoring and troubleshooting.
How it could be exploited
An attacker with network access to the FactoryTalk Historian interface could upload or inject a specially crafted log4net configuration file containing XXE payloads. The application parses this file without proper validation, allowing the attacker to read local files, access internal network resources, or execute code on the historian server.
Prerequisites
  • Network access to FactoryTalk Historian ThingWorx web interface or file upload endpoint
  • Ability to supply a malicious log4net configuration file (XML format)
  • No authentication required per CVSS vector (PR:N)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • CVSS 9.8 (critical)
  • High EPSS score (49%)
  • XML External Entity (XXE) injection
  • Affects data storage and logging infrastructure
Exploitability
High exploit probability (EPSS 49.0%)
Affected products (1)
Product | Affected Versions | Fix Status
95057C-FTHTWXCT11 | ≤ v4.02.00 | v5.00.00
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict network access to FactoryTalk Historian to only authorized engineering workstations and historian collection systems
WORKAROUND: Disable or restrict access to file upload and log4net configuration interfaces until patched
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade FactoryTalk Historian ThingWorx (95057C-FTHTWXCT11) to version v5.00.00 or later
Long-term hardening
HARDENING: Segment the historian server behind a firewall, isolating it from the business network and Internet
HARDENING: Review and restrict remote access methods to the historian; use VPN with strong authentication if remote access is required
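
The exploitation path described above depends on DTD content inside a log4net configuration file. This added example (not part of the advisory and not Rockwell Automation code) is a pre-acceptance check that flags such content before any XML parser reads the file. The function names, sample files and encoding allow-list are assumptions for illustration, and it assumes legitimate log4net configurations carry no DOCTYPE.

```python
import codecs
import re

# Constructed sample inputs (not from the advisory or the product).
CLEAN = b"""<?xml version="1.0" encoding="utf-8"?>
<log4net>
  <appender name="File" type="log4net.Appender.FileAppender">
    <file value="historian.log" />
  </appender>
</log4net>"""
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE log4net [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<log4net><appender name="File"><file value="&ext;" /></appender></log4net>"""

# BOM or leading-byte pattern -> codec, so UTF-16 files are not matched as raw bytes.
SIGNATURES = [(codecs.BOM_UTF8, "utf-8-sig"), (codecs.BOM_UTF16_LE, "utf-16"),
              (codecs.BOM_UTF16_BE, "utf-16"), (b"<\x00", "utf-16-le"),
              (b"\x00<", "utf-16-be")]
ALLOWED_DECLARED = {"utf-8", "utf-16"}  # assumed allow-list for this sketch
RULES = [
    ("doctype", re.compile(r"<!DOCTYPE", re.I)),
    ("entity-declaration", re.compile(r"<!ENTITY", re.I)),
    ("external-identifier",
     re.compile(r"<!(?:DOCTYPE|ENTITY)[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)),
]
DECLARED = re.compile(r"""<\?xml[^>]*encoding\s*=\s*["']([^"']+)["']""", re.I)


def decode(raw: bytes) -> str:
    """Pick a codec from the leading bytes; default to UTF-8."""
    for sig, codec in SIGNATURES:
        if raw.startswith(sig):
            return raw.decode(codec, errors="replace")
    return raw.decode("utf-8", errors="replace")


def audit_log4net_config(raw: bytes) -> list[str]:
    """Return the names of the rules that fired; empty means nothing was found.

    Matching is textual and fails closed: commented-out DTD markup is reported too.
    """
    text = decode(raw)
    findings = [name for name, rx in RULES if rx.search(text)]
    declared = DECLARED.search(text)
    bad_decl = declared and declared.group(1).lower() not in ALLOWED_DECLARED
    if bad_decl or "\x00" in text:  # NULs mean the decoding guess was wrong
        findings.append("unexpected-encoding")
    return findings
```

A file that produces any finding should be rejected or held for review; the check complements the upgrade to v5.00.00 and does not replace it.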